I have one client...
whose symptoms suggested that the PC was redirected to a fake Microsoft update site. There were two incidents on this same machine. One used a window that was not obviously Internet Explorer; this one looked just like the built-in updater for Windows 7. The other one was an obvious fake, as it used IE9, and the update page looked like an XP update cycle.
The convincing update was concerning, because it downloaded what looked like a lot of legitimate updates, but one of them marked 1033 was suspicious, and trouble soon followed. Maybe this was just a typical DNS cache attack, but I still felt like MS had some compromised certificates in the deal. I'm not sure if MS ever admitted to this, but I see many suggestive comments to the problem on several forums. Needless to say, a lot of updates were reported as failed on the legitimate updater.
It wouldn't be the first time a major root certificate was kifed.